Help with blocking Rule!



  • Hi, I have this networks

    LAN -> 10.0.10.0/24
    DEVELOPERS_VPN -> 10.0.1.0/24

    I just want to allow access to one IP but I tried any way to block the access to an IP or a subnet without any success.

    My connection to the VPN is fine.

    Here is a proof of the problem, I try to block the IP 10.0.10.3 but I can still ping it and also I can loggin with RDP(it's a windows machine) and as you can see I setted "any" in the proto property.

    I've been doing something wrong?



  • You have your rule set to pass instead of block.  Edit your rule and set "Action" to Block.



  • @marvosa:

    You have your rule set to pass instead of block.  Edit your rule and set "Action" to Block.

    I did tried that way and it doesn't work, the rule on the screencapture should work to block traffic only for 10.0.10.3 (look at the negation operator behind the IP address) and it also doesn't work.

    Any ideas?



  • My guess is you probably missed a step.  Because right now your rule is a pass rule.

    Go back and edit that rule again, change pass to block, and hit save.  At this point, it shows you the rule you created and you should see that the icon that once was a green triangle (pass) turned into a red "x" (block).  After that, you still have to hit "Apply Changes" or the rule changes never get implemented.



  • @marvosa:

    My guess is you probably missed a step.  Because right now your rule is a pass rule.

    Go back and edit that rule again, change pass to block, and hit save.  At this point, it shows you the rule you created and you should see that the icon that once was a green triangle (pass) turned into a red "x" (block).  After that, you still have to hit "Apply Changes" or the rule changes never get implemented.

    Like I told you, I tried that way and the way I'm doing should work also.

    Look at this

    If there is no "allow any any" rule, I wont be able to connect to internet as usual.

    I also tested it without the "allow any any" rule and it doesn't block traffic to IP 10.0.10.3

    Any other idea?



  • Ok, I tested on my end, the only difference is I used "any" for a source.  I experienced the same behavior, but I believe I now know what the issue is.  The rule looks ok, but it's still allowing communication because the states still exist for everything that used to connect to that IP.  In my own testing, as soon as I removed the state from the IP I wanted to block, the constant ping I had going stopped immediately.

    So, go to Diagnostics -> States then filter by 10.0.10.3 and remove all states associated with that IP or you can go to the "Reset States" tab and remove all states at once.

    This should solve your problem.



  • @marvosa:

    Ok, I tested on my end, the only difference is I used "any" for a source.  I experienced the same behavior, but I believe I now know what the issue is.  The rule looks ok, but it's still allowing communication because the states still exist for everything that used to connect to that IP.  In my own testing, as soon as I removed the state from the IP I wanted to block, the constant ping I had going stopped immediately.

    So, go to Diagnostics -> States then filter by 10.0.10.3 and remove all states associated with that IP or you can go to the "Reset States" tab and remove all states at once.

    This should solve your problem.

    It worked but in a weird way. I can still ping 10.0.10.3 but then I changed the unallowed IP to 10.0.10.8 and applied, then I couldn't ping 10.0.10.8, worked as expected. But then I deleted the block rule for 10.0.10.8 and applied but I couldn't still ping 10.0.10.8.

    Also tried restarting OpenVPN service, also reset the states and nothing.

    A bug maybe?


  • Banned

    Reboot



  • @doktornotor:

    Reboot

    I can't reboot, I have some services running with connections.

    I think the rules take some time to make effect.

    Anyone has been through this?


  • Banned

    Well, if you cannot reboot, then wait.


Log in to reply